When someone enters an OpenID identifier on your site, you authenticate the user by asking the site on which the OpenID user lives (and only that site) whether that user is OK. For example, AOL cannot validate a Yahoo OpenID.
If the user is not yet authenticated on that site, authentication fails and the user needs to be redirected to the site's login page. Real authentication still needs to happen, but it always happens with the OpenID provider for this user. As a user, you are protected because you only ever need to see the login page you are familiar with. It will be difficult for a malicious site to harvest OpenID credentials, as users never give these sites their passwords directly.
As soon as the user is authenticated with his provider (or if he is in "get-go" mode), the provider will report this to your website. What changes with OpenID is that your site now has to trust some other sites to accurately report the status of their users.
Someone might set up a "malicious" public identifier provider and try to disable the new identifiers this way, but it could be between the user and the provider. Since this authentication is about reputation, the idea is that such a provider will not stay in business for long. If nothing else, sites may blacklist these providers. A malicious provider will not be able to impersonate public identifiers registered with other providers.
Another possibility for a malicious provider is to install an OpenID service which always confirms any identifier passed to it for authentication (or allows the administrator to configure a back door for it). However, this will only affect users registered with this provider. Again, sites may blacklist these providers, and since they stake their reputation on it, the idea remains that such a provider would not stay in business for long.
Joel Coehoorn Nov 25 '08 at 20:21
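As an added illustration (not part of the answer above), here is the relying-party side of the property the answer describes: only the provider that discovery names for an identifier may vouch for it, a provider's assertion must carry a valid signature under the association key the relying party shares with that provider, blacklisted providers are refused, and assertions cannot be replayed. The discovery table, endpoints, association keys and nonces are all constructed for this example.

```python
import hmac
import hashlib
import secrets

# Constructed discovery table: which provider endpoint is authoritative for
# which identifier. A real relying party learns this by fetching the identifier
# URL (Yadis/HTML discovery); it is hard-coded here so the example runs offline.
DISCOVERY = {
    "https://alice.example-op.test/": "https://op.example-op.test/endpoint",
    "https://bob.other-op.test/":     "https://op.other-op.test/endpoint",
}

# Providers the site has chosen to blacklist (constructed).
BLACKLISTED_PROVIDERS = {"https://op.rogue.test/endpoint"}

# Hypothetical association secrets: one HMAC key per provider, as the OpenID
# association step would produce. A rogue provider only ever holds its own key.
ASSOC_KEYS = {
    "https://op.example-op.test/endpoint": secrets.token_bytes(32),
    "https://op.other-op.test/endpoint":   secrets.token_bytes(32),
    "https://op.rogue.test/endpoint":      secrets.token_bytes(32),
}

def _message(op_endpoint, claimed_id, nonce):
    return f"{op_endpoint}|{claimed_id}|{nonce}".encode()

def sign_assertion(op_endpoint, claimed_id, nonce, key):
    """Provider side: produce a positive assertion signed with the association key."""
    sig = hmac.new(key, _message(op_endpoint, claimed_id, nonce), hashlib.sha256).hexdigest()
    return {"op_endpoint": op_endpoint, "claimed_id": claimed_id, "nonce": nonce, "sig": sig}

def verify_assertion(assertion, seen_nonces):
    """Relying-party side: accept the assertion only if every check passes."""
    op, claimed = assertion["op_endpoint"], assertion["claimed_id"]
    if op in BLACKLISTED_PROVIDERS:
        return False, "provider blacklisted"
    # Only the provider that discovery names for this identifier may vouch for it,
    # so a provider cannot impersonate identifiers registered elsewhere.
    if DISCOVERY.get(claimed) != op:
        return False, "provider not authoritative for identifier"
    key = ASSOC_KEYS.get(op)
    if key is None:
        return False, "no association with provider"
    expected = hmac.new(key, _message(op, claimed, assertion["nonce"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False, "bad signature"
    if assertion["nonce"] in seen_nonces:
        return False, "replayed assertion"
    seen_nonces.add(assertion["nonce"])
    return True, "ok"
```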